Spear Phishing: How Attackers Use Email to Steal Privileged Information, Install Malware & Make Your Life Miserable
Just like real fishing, criminals engaged in phishing dangle tempting bait in front of users in the hope that they can lure them into revealing their login credentials. If you have an email account, you’ve received at least one real-looking email, seemingly from a financial institution like a bank or PayPal, asking you to provide your user name, password, or social security number.
Although only 3% of mass phishing emails are opened, and only 8 out of 100,000 people actually submit their private information (or have malware installed that steals their information), mass phishing operations remain profitable by sending out hundreds of millions of emails a day.
Unlike mass phishing, spear phishing uses more sophisticated techniques to target individuals in specific businesses
While mass phishing casts a wide net hoping to catch a few unwary victims, spear phishing is targeted at specific people in specific companies. Spear phishermen are aiming for confidential information and trade secrets that they can sell to your competitors or hostile nation states. Their goal is to get into your system, steal your data (or harness your computing power into a larger criminal network) and get out without you ever knowing about it.
Spear phishing attacks use detailed personal information to camouflage their intent – names, job titles or other information about your company that is easy for an attacker to find from a Google search or LinkedIn profile. This personalized information turns users into victims by encouraging them to drop their guard. They click on that official-looking attachment and open the gates of your supposedly secure system to a trojan horse carrying dangerous and destructive malware.
Spear phishers commonly trick people by disguising malicious attachments as a PDF of an internal memo, a spreadsheet, or a UPS or FedEx tracking receipt. Once clicked, the attachment installs malware that steals login credentials or logs keystrokes. Another form of spear phishing is to fake an official-looking email from within the company or from a trusted supplier that asks for the user’s login information.
Attackers are known to go to great lengths to present their spear phishing attempts as real, including putting up fake websites complete with bogus press releases. In some cases they will even dumpster dive to get copies of projects, plans, or meeting minutes, then send malicious attachments disguised as amendments to those stolen plans.
How your business can mitigate the damage from spear phishing
Unfortunately there is no ‘one-size-fits-all’ solution to completely protect your company’s systems and data from spear phishing attempts. In the dangerous digital neighborhood your business lives in, it's no longer a question of whether you'll be breached, it's a question of when.
Your first step to reduce the damage of spear phishing ought to be deploying two-factor authentication. If an attacker steals login credentials through spear phishing, a second mode of authentication at login can make it nearly impossible for the attacker to use those credentials to infiltrate your system.
Installing Duo two-factor authentication is the most cost-effective way to mitigate the damage from spear phishing attempts. While you can also limit the success of spear phishing with security measures like isolating inbound email in a sandbox and real-time inspection of your web traffic, those solutions can be expensive and are often out of reach for startups and more modestly sized companies.
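To make the point concrete, here is what a login check with a second factor looks like. This is an added example, not Duo's code: it uses a constructed user record with a salted password hash and an RFC 6238 TOTP secret (the standard time-based one-time code scheme used by authenticator apps), and shows that a password stolen through phishing never grants access on its own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential store. In a real deployment the TOTP secret is
# provisioned to the user's authenticator app and kept server-side, never in source.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # base32-encoded, constructed for this demo
    }
}

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1 over the time counter) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def login(user: str, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Return True only when both the password and a current one-time code are valid."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if not hmac.compare_digest(rec["pw_hash"], candidate):
        return False
    if code is None:
        # Stolen password, no second factor: the phisher stops here.
        return False
    now = int(time.time()) if now is None else now
    # Accept the current 30-second step and one step either side to absorb clock drift.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(rec["totp_secret"], now + drift), code):
            return True
    return False
```

A production verifier would additionally remember the last accepted counter per user so a code captured in transit cannot be replayed within the same window.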
Constant vigilance and thorough training of your workforce are crucial. Don’t make the mistake of thinking only the C-level will be targeted. Attackers will target anyone in your organization they think they can get a foothold with, and will often send spear phishing emails to a wide audience in the company, hoping that someone will be foolish enough to click on the attachment and lower the drawbridge.
Do you know anyone who has fallen victim to spear phishing attacks? What tactics have you seen? Share your thoughts and experience in the comment section below.